Let's say I want to create private archives for the long term (e.g. more than 30 ). The archives' sizes could be anywhere from 1 GB to 30 GB. As far as I understand I could go down two ways:

The first would be for example using plain AES-256 encryption in CTR mode with a random key stored on paper.

The second, more suitable solution for backups, is using the Offline Private Key Protocol, e.g. generate a 4096 bit RSA key pair and encrypt with random AES-256 keys that get stored with the archives (key-wrapping) while the private part is again stored on paper. Kind of like Safeberg does.

My question is which of the two methods would be least susceptible to currently envisioned attacks in the next 30 years, coming from adversaries with resources such as your average government (i.e. not the NSA). What about quantum computing? Additionally I would like to know if there are any other, better alternatives or any improvements that I could make to both ideas without changing their practicality.

Thus, even without considering the relative likelihoods of these events occurring within the next 30 years, it is clear that the AES-only solution cannot be any less secure than the RSA+AES one.

Of course, the RSA+AES solution has the practical advantage that the system performing the bulk of the work (AES encryption of data) need not know your secret RSA key (although they will, of course, still need access to the AES key used to actually encrypt the data, not to mention the data itself). You will need to decide for yourself whether this extra feature outweighs the risk of complicating your system by introducing an extra point of potential failure.

I am wondering then if, given a zero probability that the public RSA key is leaked from the bulk encryption system, how much less secure the RSA+AES solution will be. I've asked this as a separate question.
–
koukApr 29 '13 at 7:16